sheppy/opendesk
1
0
Fork 0
mirror of https://gitlab.opencode.de/bmi/opendesk/deployment/opendesk.git synced 2025-12-07 07:51:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(helmfile): Allow usage of pre-defined CA certificates.

Browse Source
This commit is contained in:
Thorsten Roßner
2024-11-19 14:43:33 +01:00
parent c06e0bb8d4
commit 0738fa080d
2 changed files with 67 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
docs/enhanced-configuration/self-signed-certificates.md
View File

@@ -6,10 +6,10 @@ SPDX-License-Identifier: Apache-2.0
<h1>Self-signed certificate and custom Certificate Authority (CA)</h1>
<!-- TOC -->
* [Use case](#use-case)
* [Configuration](#configuration)
* [Option 1: Bring Your Own Certificate](#option-1-bring-your-own-certificate)
* [Option 2: Use cert-manager.io](#option-2-use-cert-managerio)
* [Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate](#option-2a-use-cert-managerio-with-auto-generated-namespace-based-root-certificate)
* [Option 2b: Use cert-manager.io with pre-defined/shared root-certificate](#option-2b-use-cert-managerio-with-pre-definedshared-root-certificate)
<!-- TOC -->
Deploying openDesk into an environment with custom public key infrastructure (PKI) that is usually not part of
@@ -48,10 +48,10 @@ CA certificate as X.509 encoded (`ca.crt`) and as jks trust store (`truststore.j
1. Create a Kubernetes secret with name `opendesk-certificates-keystore-jks` with key `password` and as value the jks
trust store password.
## Option 2: Use cert-manager.io
## Option 2a: Use cert-manager.io with auto-generated namespace based root-certificate
This option is useful, when you do not have a trusted certificate available and can't fetch a certificate from
Lets Encrypt.
Lets Encrypt. It will result in a cert-manager managed root certificate in the namespace you deploy openDesk into.
1. Create self-signed cert-manager.io Cluster Issuer:
```yaml
@@ -70,3 +70,38 @@ Lets Encrypt.
name: "selfsigned-issuer"
selfSigned: true
```
## Option 2b: Use cert-manager.io with pre-defined/shared root-certificate
Use this approach if you like to use a pre-created CA root certificate that can be "shared" (as copy) between
multiple namespaces in a cluster.
1. Create self-signed cert-manager.io Cluster Issuer root certificate the same was as in *Option 2a*.
1. Create the root certificate for the previously created CA, in the example it is placed into the namespace `cert-manager`.
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: opendesk-root
namespace: cert-manager
spec:
isCA: true
commonName: opendesk.eu
secretName: opendesk-root-cert-secret
subject:
organizations: "openDesk cluster root certificate organization"
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
```
1. Copy this cert's secret into the/each namespace you want to make use of the cert.
1. Create issuer in the/each namespace you want to make use of the cert.
The latter two steps are part of the `env-start:` section within [`.gitlab-ci.yml`](../../.gitlab-ci.yml).